Artificial intelligence (AI) and deep learning can lead to powerful business insights. Many executives are ready to harness the power of this technology, but one main challenge holds them back. Hiring technical talent for cybersecurity is hard enough in itself; hiring technical talent for AI is a much bigger challenge.

This problem was recently faced by the UK’s National Health Service (NHS). Tremendous results have been demonstrated recently using computer vision techniques to identify specific types of illness by looking at scans of a patient’s body. Artificial intelligence has a strong track record of effectively predicting medical conditions such as cancer, heart attacks and many other image-based diagnoses.

Medical information is particularly sensitive for medical organizations like the NHS, but it is also among the most lucrative types of PII to cybercriminals. Many freely available AI/machine learning software packages exist, such as Theano, Torch, CNTK, and TensorFlow. Despite the availability of these tools, many organizations like the NHS do not have sufficient access to experts able to run powerful machine learning tools. Without this type of collaboration many illnesses may go unidentified and people could die. So the NHS* decided to partner with DeepMind, a company acquired by Alphabet/Google. The University of Cambridge and the Economist wrote an article detailing many aspects of the contract.

As a result, DeepMind gets access to 1.6 million medical records and a neat application of its technology, in addition to undisclosed funding. This data includes blood tests, medical diagnostics and historical patient records but also even more sensitive data such as HIV diagnosis and prior drug use. In the sub-discipline of machine learning called Deep Learning, the algorithms are particularly dependent on having a large data corpus.

When an organization is faced with the choice of outsourcing sensitive information to experts, what are the choices? Any organization outsourcing information should redact all personally identifiable information such as names and personal identifiers. These can instead be represented by a pseudonym – a unique mapping such as a hash function – where the link between the unique identifier and the PII is held only by the trusted entity (the NHS in this case). Furthermore, semi-sensitive information that would have value to the ML model should be abstracted. For example, geographical location may be a powerful indicator of an illness, but the raw data could be used to reverse-engineer the PII of a given patient. In this case, binning the information so that only a little fidelity is lost is an effective trade-off between empowering the AI’s predictive power and protecting patient confidentiality. For example, grouping specific addresses into zip codes or counties may be a nice trade-off in this space.
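As an added illustration (not code from the original post, the NHS or DeepMind), the following Python sketch implements the redaction scheme just described: a keyed pseudonym whose secret and lookup table never leave the trusted entity, plus binning of the date of birth into an age band and of the postcode into its district. The patient records, field names and reference date are constructed for the example.

```python
import hmac
import hashlib
import secrets
from datetime import date

# Constructed sample records; identifiers, names and values are placeholders, not real data.
RAW_RECORDS = [
    {"nhs_number": "PATIENT-0001", "name": "A. Example", "dob": date(1975, 6, 15),
     "postcode": "NW3 2QG", "sex": "F", "haemoglobin_g_dl": 13.2, "diagnosis": "anaemia"},
    {"nhs_number": "PATIENT-0002", "name": "B. Example", "dob": date(1952, 11, 3),
     "postcode": "E1 6AN", "sex": "M", "haemoglobin_g_dl": 15.8, "diagnosis": "none"},
]

# Direct identifiers that must never reach the outsourcing partner.
DIRECT_IDENTIFIERS = ("nhs_number", "name", "dob", "postcode")

# Constructed reference date for computing ages (a fixed date keeps the export reproducible).
REFERENCE_DATE = date(2017, 4, 27)


class TrustedEntity:
    """The data owner (the NHS in the article). It alone holds the secret key and
    the pseudonym -> identifier table, so only it can re-identify a record."""

    def __init__(self, key=None):
        # A keyed MAC rather than a bare hash: a bare SHA-256 of a structured,
        # low-entropy identifier can be reversed by enumerating the identifier space.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup = {}

    def pseudonym(self, identifier):
        tag = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self.lookup[tag] = identifier
        return tag

    def reidentify(self, tag):
        """Only the trusted entity can do this; the partner never sees self.lookup."""
        return self.lookup[tag]


def age_band(dob, on_date, width=10):
    """Generalise a date of birth to a 10-year age band as of on_date."""
    age = on_date.year - dob.year - ((on_date.month, on_date.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def postcode_district(postcode):
    """Bin a UK postcode to its outward code (district), e.g. 'NW3 2QG' -> 'NW3'."""
    return postcode.strip().split()[0].upper()


def export_for_partner(records, trusted, reference_date):
    """Build the dataset that leaves the trusted entity: pseudonym, generalised
    quasi-identifiers, and the clinical fields the model actually needs."""
    out = []
    for rec in records:
        row = {
            "pseudonym": trusted.pseudonym(rec["nhs_number"]),
            "age_band": age_band(rec["dob"], reference_date),
            "postcode_district": postcode_district(rec["postcode"]),
        }
        row.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        # Last line of defence: refuse to emit a row that still carries a direct identifier.
        assert not any(k in row for k in DIRECT_IDENTIFIERS)
        out.append(row)
    return out


if __name__ == "__main__":
    owner = TrustedEntity()
    for row in export_for_partner(RAW_RECORDS, owner, REFERENCE_DATE):
        print(row)
```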

The trade-off between security and predictive power will likely be a challenging problem for data owners. AI is able to combine many weak signals and often reaches surprising conclusions. In one study, CMU researchers found social security numbers were surprisingly predictable, and the AI algorithms could usually reconstruct an SSN from information such as birthdate and gender. So being able to guarantee that AI can’t reconstruct your PII is an unsolved problem, and likely very dependent on the data. However, best-effort strategies like those outlined above can help mitigate most concerns.

In the future this issue may change significantly. Recent developments in federated learning may allow for increased flexibility, where keeping data on premises becomes a more available option. A related technology, homomorphic encryption, has been in the works for far longer. In homomorphic encryption the computations occur on encrypted data without ever having to decrypt it, which would significantly reduce the security concern. We are still years away from technology solving this problem directly. In the interim, the promise of AI benefits is too great for most organizations to wait.

At Anomali, we deal with sensitive information regularly, as we help many organizations around the world winnow down data from across the enterprise and focus on the applicable security threats. We address privacy issues with on-premises deployments such as Anomali Enterprise, or by very tight access controls and data isolation, like our Trusted Circles feature for sharing threat intelligence in our Threat Intelligence Platform, ThreatStream.

*The agreement was signed by the Royal Free NHS Trust, a small subordinate component of the much larger NHS. The Royal Free Trust comprises three hospitals in London.

Source: Honeypot Tech

Data Privacy in a World of Outsourced Artificial Intelligence (2017-04-27)

Threat intelligence sharing is becoming more mainstream as ISACs and other industry sharing collectives gain popularity. As intelligence sharing becomes more popular, there are some things to consider to get the most out of it. Anomali’s new whitepaper, The Definitive Guide to Threat Intelligence Sharing, explores this topic in depth.

Like many other things, the more you put into sharing threat intelligence, the more you can potentially get out of it. It starts with choosing who to share with. Understanding what is good to share is another important aspect to consider. Most of all, collaborating with those you share with is key to improving the value for everyone involved. Adding context to what is shared, or including extra details observed from your own analysis, is an important element of sharing threat intelligence.

Sharing with others in our own industry is the best place to start with sharing intelligence. This is essentially “home” for sharing intelligence and interacting with peers around threats and defenses. For most organizations, this is the full extent of who they share intelligence with, and there is nothing wrong with that. There are other considerations for adding additional sharing partners, however. For one, not all attacks come over the Internet; some require a physical presence, such as attacks against Wi-Fi infrastructure. Finding local sharing partners, potentially not in your own industry, can be important for localized intelligence sharing. Also important is finding partners to share with outside the echo chamber of your industry or vertical. Sharing within your industry is certainly the best place to start, but looking for organizations to share with beyond your industry as a next step is a good idea.

In addition to sharing intelligence, other considerations might be sharing defensive measures such as YARA rules, Snort rules, scripts, system or application configuration tweaks, security tool configurations, and so on. The idea is to collaborate closely with other sharing partners to:

Improve visibility for better intelligence analysis

Deliver stronger defenses that are optimized against observed and perceived threats

Provide a useful vehicle for coordinating intelligence collection and analysis

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Dridex Style Malspam Pushed Locky Ransomware Instead (April 21, 2017)
Researchers have discovered that malspam messages that follow known Dridex formats are instead delivering Locky ransomware to recipients. Actors behind this campaign are sending malicious attachments impersonating payment receipts and PDFs.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Malware

MilkyDoor Android Malware uses SSH Tunnels to Access Secure Corporate Networks (April 21, 2017)
An Android malware called “Milkydoor” has been discovered to have been present in approximately 200 applications in the Google Play Store (Google has since removed the malicious applications). Researchers estimate that the malicious applications have been downloaded between 500,000 and one million times. Milkydoor uses SSH tunnels to give the actors access to internal company networks.
Recommendation: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that claim additional software is needed in order to access or properly view content should be avoided. Additionally, mobile security applications from trusted vendors are recommended.
Tags: Mobile, Malicious Applications

Cardinal RAT Active for Over Two Years (April 20, 2017)
A new Remote Access Trojan (RAT) called “Cardinal” has been discovered by Unit 42 researchers. Cardinal has been active for at least two years and is being distributed via malicious macros in Microsoft Excel documents that compile C# source into an executable. Researchers believe that the small number of samples discovered in the wild is because the malware has remained undetected for an extended period of time.
Recommendation: Ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That way it will be easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity.
Tags: Malware, RAT

Turn The Light On and Give Me Your Passwords (April 19, 2017)
Android users are being targeted with a banking trojan masquerading as a flashlight application in the Google Play Store (Google has since removed the application). Researchers discovered that the malicious application, called “Flashlight LED Widget,” has been downloaded approximately 5,000 times. The trojan contained inside the application is capable of using overlays on top of certain applications in order to steal banking or credit card information.
Recommendation: If this application has been downloaded, a user can find it under Settings, Application Manager, and then Flashlight Widget. The application can be uninstalled by booting the device in Safe mode. Even though this application was in the Google Play Store, that is still the safest location to download applications. Additionally, anti-virus applications provided by trusted vendors should be employed.
Tags: Mobile, Malicious Applications

InterContinental Confirms Card Data Breach at Over 1,000 Locations (April 19, 2017)
InterContinental Hotels Group (IHG) has issued a statement confirming that approximately 1,000 of its locations in Puerto Rico and the U.S. have been compromised with information-stealing malware. The malware searched for cardholder name, card number, expiration date, and internal verification code. IHG believes that the malware was first present in some IHG payment systems on September 29, 2016 and remained until December 29, 2016. However, IHG did not identify the unauthorized access until its systems were “investigated in February and March 2017,” so it is possible that card data was stolen up until that time.
Recommendation: Customer-facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. In the case of malware infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputational damage.
Tags: Breach, POS

Flaw in Drupal Exposes 120,000 Sites to Attacks (April 19, 2017)
The security team for the open source Drupal platform has discovered a vulnerability in the third-party module called “References.” Drupal did not release additional information about the vulnerability, in order to help prevent exploitation; however, the team did release a security patch to fix the problem. Additionally, Drupal stated that it will release more information about this vulnerability in the next few weeks.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised websites

BankBot Trojan Found Lurking on Google Play (April 18, 2017)
An Android banking trojan called “BankBot,” which is based on leaked source code of a different Android trojan, has been identified as having expanded its target list. Initially the malware primarily targeted Russian users, but now BankBot is targeting users all over the world in attempts to steal financial data. Researchers discovered a target list that consists of over 400 applications associated with financial institutions around the globe. The malware is being distributed by masquerading as legitimate applications in the Google Play Store and third-party application stores (Google has since removed the malicious applications).
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Additionally, do not rely on ratings alone for applications in the Google Play Store; further research into an application is a good mitigation step because sometimes malicious applications make it into legitimate stores.
Tags: Mobile, Malicious Applications

Fake LinkedIn Emails Phishing Job Seekers (April 18, 2017)
A new phishing campaign has been identified that targets LinkedIn users. The actors behind the campaign are attempting to trick recipients into sending their curriculum vitae (CV). With the plethora of personal information contained in a CV, cybercriminals would be able to sell the information on underground forums or use it to further target individuals with additional phishing attacks.
Recommendation: Phishing continues to be one of the easiest ways for cybercriminals to make money quickly with a low level of technical expertise. Educate your employees on the dangers of phishing, how the attacks work, and how to avoid them. This includes the safe and proper use of email as well as web browsing activities.
Tags: Phishing

New Karmen Ransomware-as-a-Service Advertised on Hacking Forums (April 18, 2017)
Malware researchers have discovered a new Ransomware-as-a-Service (RaaS) called Karmen that is being advertised on a Russian cybercrime forum. The ransomware creators advertise multiple features, such as sandbox and virtual machine detection capabilities, being undetected by anti-virus vendors, and access to a web-based control panel, all available for purchase for $175.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer.
Tags: Ransomware, RaaS

CradleCore Ransomware Sold as Source Code (April 17, 2017)
Forcepoint researchers have discovered threat actors engaging in an interesting tactic while selling a new ransomware dubbed “CradleCore.” The cybercriminals behind the malware are offering the source code for purchase at a negotiable price starting at 0.35 Bitcoins ($419). This tactic will likely cause new variants to be observed in the wild in the near future, because the available source code will allow actors to customize the ransomware.
Recommendation: The ransomware landscape continues to evolve and become a larger cause for concern and potential risk. The use of endpoint prevention systems can make all the difference between being infected and not. In the case of any ransomware infection, the victim should avoid paying the ransom, and the infected system should be wiped and reformatted.
Tags: Ransomware

This Phishing Attack is Almost Impossible to Detect on Chrome, Firefox, and Opera (April 17, 2017)
Researcher Xudong Zheng has discovered a new phishing attack that affects multiple web browsers. Zheng cautioned that actors can use vulnerabilities in the Chrome, Firefox, and Opera web browsers to display fake domains and steal financial and login credentials. The style of attack that affects these browsers is a “homograph” attack, which uses Unicode characters in the domain name to make a malicious website appear legitimate.
Recommendation: Your company should have appropriate anti-virus and anti-spam controls, and policies in place that will prevent your employees from visiting potentially malicious websites. Education is also a great mitigation technique that can raise awareness in your company of the risks posed by visiting less reputable online locations. Additionally, always ensure that your web browser is kept up to date with the latest version as soon as possible.
Tags: Phishing, Homograph
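An added defender-side check, not part of the original briefing: decode a domain’s Punycode (xn--) labels to the form a user would see, flag labels that mix scripts, and fold known lookalike characters to an ASCII skeleton for comparison against a watch list of your own domains. The confusables table is a small constructed subset of the Unicode confusables data, and the domains used are made up.

```python
import unicodedata

# Constructed subset of lookalike characters mapped to the ASCII letter a reader
# would take them for. The real Unicode confusables table is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l",                  # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",   # Greek
}

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")


def script_of(ch):
    """Crude script lookup from the character's Unicode name; digits, the hyphen
    and anything unrecognised count as COMMON so they never trigger a mix."""
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script + " "):
            return script
    return "COMMON"


def to_unicode(domain):
    """Decode xn-- labels with the stdlib IDNA codec; a Unicode input is returned as is."""
    if domain.isascii():
        return domain.encode("ascii").decode("idna")
    return domain


def skeleton(domain):
    """Replace known lookalikes with the ASCII character they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def analyze_domain(domain, watched):
    """Inspect a domain seen in a URL, log line or certificate. Returns its Unicode
    and ACE (xn--) forms, its ASCII skeleton, and a list of findings; an empty
    findings list means nothing suspicious was detected by these two checks."""
    uni = to_unicode(domain.lower())
    ace = uni.encode("idna").decode("ascii")
    findings = []
    for label in uni.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label '{label}'")
    skel = skeleton(uni)
    if skel != uni and skel in watched:
        findings.append(f"confusable with watched domain '{skel}'")
    return {"unicode": uni, "ace": ace, "skeleton": skel, "findings": findings}


if __name__ == "__main__":
    watch = {"anomali.com"}
    for d in ("anomali.com", "anom\u0430li.com"):   # second has a Cyrillic a
        print(analyze_domain(d, watch))
```

The mixed-script rule alone misses an all-Cyrillic lookalike, which is why the skeleton comparison against your own domains is the check that matters most.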

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cybercriminal groups related to the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto.
Tags: Locky, Ransomware

Here at Anomali we were especially excited by one initiative Splunk introduced last year, Adaptive Response. We liked it so much that we partnered with Splunk to give security teams a powerful way to integrate ThreatStream capabilities into the Enterprise Security workflow using the Adaptive Response framework.

An Introduction to Adaptive Response

Splunk’s Adaptive Response enables security analysts—from hunters to less skilled security staff—to better handle threats. The Adaptive Response Framework resides within Splunk Enterprise Security (ES) and optimizes threat detection and remediation using workflow-based context. Having spent years working with all layers of security teams, I like to think of Adaptive Response as the “security nerve center” to bridge intelligence from multiple security domains, including threat intelligence.

One of the key parts of the Adaptive Response framework is the ability for analysts to automate actions, or individually review response actions, to quickly gather more context and take appropriate action across their multi-vendor environment. For an increasing number of people this means comparing security data against threat feeds, or threat intelligence sources like ThreatStream.

Anomali Threatstream Splunk App

Introducing Adaptive Response Integration

The Anomali ThreatStream Splunk App already gives users the ability to download millions of IOCs directly into Splunk to cross-reference against security data, providing dashboards and alerts for analysis. The app now supports the Adaptive Response action framework, providing seamless integration with Enterprise Security.

Familiar workflows

An analyst will likely start an investigation once a notable event has been triggered in Splunk’s Enterprise Security. At this point they want to add as much context as possible to the notable event, or security incident, in order to complete their investigation as quickly and accurately as possible. One way to do this is to compare the raw events that triggered the notable event against the ThreatStream IOC database. For example, an analyst might want to look up the suspicious destination of an event that triggered the notable event in ES, to validate whether it should be of concern.

Perform actions inside Enterprise Security

Within the Enterprise Security Incident Review dashboard an analyst can choose to run an “Adaptive Response Action”, in this case “Analyze with ThreatStream”. They can then select as many fields in the raw events as they want to analyse against ThreatStream IOCs. When the analyst runs the action, a threat bulletin will be created within ThreatStream and be visible within the ThreatStream platform.

Bi-directional sync

The threat bulletin created will contain all incident data and comments from the notable event in Splunk, including the raw event data that triggered the notable event in the first place. Millions of IOCs in the ThreatStream database are automatically matched against the raw data of the notable event stored in the threat bulletin to identify matches.

When matches are found they can be examined and triaged in the ThreatStream user interface. Users can approve malicious indicators and reject those found to be benign. This threat intelligence, including full information about each IOC matched to a notable event, can then be pushed back down to your security tools, including back into Splunk using ThreatStream Link, to continue any investigation.

Corporate brands are generally thought of as intangible objects that carry the company’s image and reputation. However, your brand is very tangible in the eyes of attackers and can absolutely be targeted and damaged with cyber threats. To prevent such damage, companies can engage in “brand monitoring”. More specifically, this means searching for typosquatting and compromised credentials. While different in intent and practice, both tactics rely on human behaviors to achieve their goals. Such attacks are difficult to detect because the damage can occur outside of a company’s domain, and difficult to prevent because they involve a change in habit rather than corporate policy. In the first part of this series we’ll explore what typosquatting is, why it matters, and what courses of action a company can take to effectively protect their brand.

Typosquatting

Typosquatting (also known as URL hijacking) refers to malicious third parties registering domains that are similar to legitimate corporate domains. The motives for registering a similar domain are numerous, but all are guaranteed to have a nefarious intent. With a deceptive domain, typosquatters have the potential to:

Orchestrate phishing schemes to collect customer credentials

Install malware onto visitor devices

Coerce the targeted company into buying the domain

Redirect traffic to competing or malicious sites

Embarrass the company by displaying inappropriate messaging

The exact variation of the domain will depend on the adversary’s intent. There are two general options: register a domain that looks visually similar, or register a domain that looks credible. True to the “typo” part of typosquatting, visually similar domains consist of slight misspellings of either the root domain or the country-code top-level domain. Potentially credible domains will instead add keywords that viewers won’t find suspicious. For example, malicious domains “anomalibank.com” and “domain.com” might look like:

Such domains might seem obviously fake when examined with scrutiny, but even these examples could be surprisingly effective. Malicious actors know that the most effective attacks are those based on human predispositions, some of which are to be trusting of visual cues and inattentive in routine situations. If a webpage and its domain look similar enough to what an individual is accustomed to then it is unlikely to raise any red flags.

To investigate the widespread use of malicious domains, the Anomali Labs team released a report on the Financial Times Stock Exchange 100 (FTSE 100) index. The Anomali Labs team examined the FTSE 100 companies over a period of three months and found that 81 of the 100 companies had potentially malicious domain registrations against them. A total of 527 malicious domains were detected.

What to do About Typosquatting

So what can companies do in response to such a frequent and effective attack? As always, educating employees on the possibility of false domains is critical. Companies can also take large-scale measures to ensure that their brand is protected.

For one, organizations can purchase any domains similar to, or affiliated with, their own. Think of any large company and it’s likely that they currently own “theircompanyname”sucks.com. This is a time-consuming endeavor, but ultimately worthwhile as it prevents malicious actors from forcing them into buying the domain or using it to garner negative publicity.

Unfortunately, many companies are unable to anticipate which domains might be used against them, and the creativity of malicious actors in dreaming up confusing or damaging domains seems unlimited. Or they are simply too slow to the draw and those domains have already been registered. In this case organizations can work with any number of third-party services to issue takedown notices. Companies like Verizon, Lufthansa, and Lego are known to aggressively chase down typosquatters, with Lego having spent upwards of $500,000 to get malicious domains taken down.

Companies can also block any known malicious domains in their proxies or email security products, which protects employees from phishing scams. In this case the malicious domain might not be their own – it could relate to any and all known phishing sites. If such a domain is found, organizations may wish to triage the registrant information to see if there are other associated domains targeting the company.

One of the more effective tools for researching and monitoring malicious typosquatting is a Threat Intelligence Platform (TIP). The ThreatStream platform from Anomali provides users the ability to define base domains – the platform will monitor existing and newly registered domains and flag any similarities. The tool also provides the ability to define more complex pattern detection via Regular Expression matching. A machine learning algorithm is used to make the search for new domain registrations more sophisticated, and those found are added to individual customer threat bulletins. The Anomali Labs team also provides a feed of domains registered by disposable domains that customers can access.
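An added example (not Anomali’s or ThreatStream’s code) covering both the domain variations described under Typosquatting and the base-domain monitoring with regular-expression patterns described above: it classifies a constructed feed of newly registered domains against one watched base domain, treating a swapped adjacent pair, a dropped or substituted character, a changed top-level domain, and an added keyword as distinct reasons.

```python
import re

# Constructed feed of "newly registered" domains for the demonstration; none of
# these are real observations.
NEW_REGISTRATIONS = [
    "anomalibank.co",         # same name, swapped top-level domain
    "anomalibnak.com",        # adjacent letters transposed
    "anoma1ibank.com",        # digit 1 in place of the letter l
    "anomalibank-login.com",  # brand plus a credible keyword
    "secureanomalibank.com",  # keyword prefixed to the brand
    "anomalibanking.com",     # brand with letters appended
    "weatherreport.example",  # unrelated registration
]

# Example of the regular-expression patterns a platform lets you define (constructed).
DEFAULT_PATTERNS = (re.compile(r"anomali.*bank"),)

# Names within this many edits of the brand count as typos. Two is generous for an
# 11-letter brand; for short brand names use one to keep the noise down.
MAX_TYPO_DISTANCE = 2


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so a swapped pair is one typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain):
    """'anomalibank.co' -> ('anomalibank', 'co'). Assumes the registrable name is the
    label before the last dot; a public-suffix list would be needed for 'co.uk'."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def classify(candidate, base_domain, patterns=()):
    """Reasons a newly registered domain resembles the watched base domain;
    an empty list means no resemblance was found."""
    c_name, c_tld = split_domain(candidate)
    b_name, b_tld = split_domain(base_domain)
    reasons = []
    if c_name == b_name:
        if c_tld != b_tld:
            reasons.append("tld-swap")
        return reasons   # either the base domain itself or a TLD variant of it
    distance = osa_distance(c_name, b_name)
    if distance <= MAX_TYPO_DISTANCE:
        reasons.append(f"typo(distance={distance})")
    if b_name in c_name:
        reasons.append("brand-keyword")
    for pat in patterns:
        if pat.search(c_name):
            reasons.append(f"pattern:{pat.pattern}")
    return reasons


def monitor(base_domain, registrations, patterns=()):
    """Map each registration that resembles base_domain to the reasons it was flagged."""
    hits = {}
    for candidate in registrations:
        reasons = classify(candidate, base_domain, patterns)
        if reasons:
            hits[candidate] = reasons
    return hits


if __name__ == "__main__":
    for dom, why in monitor("anomalibank.com", NEW_REGISTRATIONS, DEFAULT_PATTERNS).items():
        print(f"{dom:26} {', '.join(why)}")
```

Flagged domains are candidates for triage (registrant, hosting, other domains by the same registrant), not automatic blocks, since a distance-2 match will also catch legitimate names.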

Once a malicious domain is identified, users can then attempt to identify the country of origin, other domains they’ve created, and all IPs associated with the domain. This allows companies to not only investigate suspicious domains, but also to predict a potential attack vector. For example, with the right tools you can discover that a typosquatted domain belongs to an actor who has registered other malicious domains, uses a specific set of IP addresses, and is known to utilize a particular type of attack (phishing, malware, etc). With this information you can then apply appropriate firewall, SIEM, endpoint, IDS/IPS, etc. rules to block and/or monitor for suspicious activity.

Taking Brand Monitoring a step further, organizations should also scan the Dark Web for mentions of corporate domains. Anomali automates this type of scanning and keyword matching and will also scan the Dark Web for internal project names (yes, like the ones you’d hear in movies), mentions of executive names or emails, and company’s public IP ranges.

Concluding Summary

Malicious actors do damage to a company’s reputation and steal data by typosquatting. This tactic relies on predictable human behaviors, and is best mitigated through education, research, and tighter regulations. A Threat Intelligence Platform can simplify the process, and ultimately protect employees, customers, and brands.

Similar reports to the FTSE 100 were conducted for the DAX 100 and OMX 30.

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Shoney’s Hit by Apparent Credit Card Breach (April 14, 2017)
Multiple sources in the financial industry have reported patterns of fraud on their customers’ credit cards that were used at Shoney’s restaurant locations, according to researcher Brian Krebs. The restaurant chain consists of approximately 150 locations, mostly in southern states throughout the U.S. Best American Hospitality Corp. released a statement confirming that malware was identified on some of its Point of Sale (POS) terminals. The company believes that an unknown number of terminals were compromised from December 27 to March 6, 2017, resulting in the theft of cardholder name, card number, expiration date, and internal verification code.
Recommendation: Customer-facing companies that store credit card data must actively defend against POS threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. In the case of malware infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputational damage.
Tags: POS, Credit card theft

“Callisto Group” Advanced Threat Actor Identified (April 13, 2017)
F-Secure researchers have published a new report detailing the activity of an advanced threat actor called “Callisto Group,” which they believe has never been previously identified. The group is believed to have been active since at least 2015. Callisto uses both phishing emails designed to steal user credentials and others that contain malicious attachments. Researchers claim the malware is associated with the Italian software company “HackingTeam.”
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email account is compromised and used for such emails. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Spear phishing

New Breed of Cerber Ransomware Employs Anti-Sandbox Armoring (April 12, 2017)
Researchers have discovered a new strain of the Cerber ransomware that has sandbox detection abilities. The malware behaves differently when its API calls are hooked in a sandboxed environment, for example crashing the hooking module, calling useless window APIs in a long loop, and retrieving API addresses directly from the main executable.
Recommendation: If you run your own malware sandbox you may want to open MS Word (and other Office applications) and open and close several documents in order to populate the Recent Documents list. Also, consider running your sandbox from a consumer-grade cable or DSL line instead of using Amazon or other SaaS providers. Lastly, if you are a security company, you probably should not be sandboxing malware from systems whose IPs are easily associated with your company.
Tags: Ransomware

Mole Ransomware Distributed Through Fake Online Word Docs (April 12, 2017)
A new spam email campaign has been discovered distributing a new strain of the CryptoMix ransomware family dubbed “Mole.” The emails masquerade as shipment notifications that imply an item could not be delivered and offer a link for additional information, according to researcher Brad Duncan. The link directs the recipient to a Word document that claims a new plugin version is needed to read the document properly, but the “plugin” actually begins executing the ransomware.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case that a restorable backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Additionally, educate your employees on the dangers of spam emails and have policies in place regarding whom to contact when a malicious email has been identified.
Tags: Ransomware, Phishing, Malspam

Cybercriminals Target Amazon Third-Party Sellers with Password Reuse Attacks (April 11, 2017)
Cybercriminals have been able to gain access to active third-party seller accounts on Amazon by testing previously stolen passwords against them. Actors then change the bank account details in order to transfer the revenue from online purchases to their own accounts. Actors are also identifying old and unused third-party accounts, promoting offers with substantial discounts through them, and again diverting the funds to their own accounts.
Recommendation: It is important that your company and employees use different passwords for the different accounts they use. As this story shows, previous breaches can allow actors to gain access to other accounts because users frequently reuse the same username and password combination across multiple accounts. Furthermore, policies should be in place that require your employees to change their passwords on a frequent basis.
Tags: Breached accounts

Ewind – Adware in Applications’ Clothing (April 11, 2017)
Unit 42 researchers have been observing a mobile adware campaign targeting Android users since mid-2016, and have released information on how the actors behind the adware “Ewind” operate. The actors download a legitimate application, decompile it, add their malicious features, then repackage the Android Application Package (APK). Users who download the application are infected with Ewind, which displays advertisements to accumulate revenue for the actors; however, researchers have also discovered that the malware is capable of stealing information and remotely controlling an infected device.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores.
Tags: Adware, Malware

Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day (April 10, 2017)
A new spam campaign has been identified sending millions of emails in an attempt to distribute malware for the Dridex botnet. According to Proofpoint researchers, the campaign is primarily targeting organizations located in Australia. The actors behind the campaign are exploiting a new zero-day that affects Microsoft Word. The emails in this campaign carry Word Rich Text Format (RTF) documents which, if opened, are capable of executing processes that install the Dridex banking trojan.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.
Tags: Dridex, Malspam, Zero-day

Alleged Spam King Pyotr Levashov Arrested (April 10, 2017)
Pyotr Levashov, believed to be behind the alias “Severa,” has been arrested while vacationing in Spain with his family. Severa was a well-known figure on Russian cybercrime websites, where he was the moderator of several spam-related forums. The U.S. Justice Department believes that Levashov is the partner of American spammer Alan Ralsky, who ran schemes to inflate the value of penny stocks. Researcher Brian Krebs contends that Severa was also behind multiple operations in which he paid virus writers and spammers to install fake anti-virus software onto victims’ machines.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.
Tags: Spam, Botnet

British Payday Loan Firm Wonga Suffers Data Breach (April 10, 2017)
Threat actors have managed to breach the U.K. payday loan firm “Wonga,” according to a statement from the company. Actors gained access to information consisting of bank account numbers, full names, email addresses, home addresses, partial payment card numbers, phone numbers, and sort codes. This breach is believed to affect approximately 270,000 current and previous customers in Poland and the U.K.
Recommendation: Bank account and credit card numbers should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. Regular monitoring of financial accounts, in addition to identity protection and fraud prevention services, can assist in identifying potential theft of data.
Tags: Data breach

Hackers Steal Customer Card Data From GameStop (April 10, 2017)
The video game retail company “GameStop” has acknowledged that a breach took place that resulted in credit card information being stolen from gamestop[.]com. Two sources in the financial industry informed researcher Brian Krebs that reports from a credit card processor indicated GameStop had been compromised since at least September 2016. Researchers believe that, due to the length of the breach, other sensitive information may also have been stolen from GameStop customers.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Website, Compromise

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Cerber Ransomware Tool Tip
Cerber is ransomware that surfaced in January 2016. Cerber is sold on hacking forums and criminal bulletin board systems. Cerber has been in constant development, with version 4 released around October 2016. Cerber has been distributed through phishing lures, exploit kits, and malvertising.
Tags: cerber, ransomware

Underground markets may have originated in the time of Internet Relay Chat (IRC), but the appearance of cryptocurrencies such as Bitcoin and anonymity networks such as Tor has allowed these markets to develop far past their genesis. Darknet forums are now a very efficient platform through which to conduct illegal business. Some forums are accessible only via the Tor network, while others are only accessible via traditional web browsing (clearnet). These forums offer a variety of real-world and digital items, ranging from illicit drug sales, counterfeit items (passports, driver licenses, bank notes), and weapons, to services such as carding (credit card fraud), PII (personally identifiable information) fraud, 0-day exploits, botnet services, and bulletproof hosting.

Gaining access to some of these forums can be a complicated ordeal, and forums with more extreme vetting tend to have a higher quality of malicious activity. A user might have to compromise and deface a web site of the forum’s choice to gain a full profile, or create a new variant of ransomware. This is suspected to be a primary cause of the recent outbreak of ransomware. Due to the illicit nature of the content and services offered it’s not uncommon for a site to be populated with decoy users from both criminals and law enforcement personnel.

Below we’ll explore the terminology, services, and quality of some of the dark web’s more popular forums. Just don’t get any ideas…

Jargon/Slang

The underground is filled with a heavy amount of jargon and slang that may be unfamiliar. Here are some common terms:

Crypters – tools that encrypt malware in order to bypass detection by Antivirus engines

Binders – tools used to trojanize a legitimate program with a malware sample

Zero-Day exploits – techniques that exploit previously unknown and unpatched vulnerabilities, used by attackers to gain unauthorized access to computing systems.

“FUD” – “fear, uncertainty, and doubt” in the mainstream security world; in underground forums it means “Fully UnDetectable”

“Rippers” – actors on forums identified as ripping off and scamming other users without delivering useful services or contraband

The table below shows a list of common underground marketplaces.

Marketplace Name | Marketplace URL                                        | Tor Site | Clearnet Site | Currency Used
-----------------+--------------------------------------------------------+----------+---------------+--------------
Sky-Fraud        | http://sky-fraud.ru/, http://bcbm4y7yusdxthg3.onion/   | yes      | yes           | BTC
Lampeduza        | https://lampeduza.cm/                                  | no       | yes           | BTC
Exploit.in       | https://forum.exploit.in/                              | no       | yes           | BTC
LeakForums       | https://leakforums.net                                 | no       | yes           | BTC, Paypal
HackForums       | http://hackforums.net/                                 | no       | yes           | BTC, Paypal
TheRealDeal      | http://trdealmgn4uvm42g.onion                          | yes      | no            | BTC
Alphabay         | http://pwoah7foa6au2pul.onion                          | yes      | no            | BTC

Sky-Fraud Underground Forum

Sky-Fraud is a Russian underground forum that has been in operation since 2014. Its user base consists of 26k active users, a mix of Russian and English speakers.

Access: Free without vetting. This forum is easy for scammers, non-reputable members, law enforcement, and security researchers to access.

Services/Items Offered:

Escrow services

Bulletproof hosting services

PII (Personally Identifiable Information) and CC (Credit Card) data

Botnets, exploits, and malware

BlackHat SEO (Search Engine Optimization) and web design

Payment Systems: BTC (Bitcoin), Paypal, Webmoney, Entropay

Trustworthiness/Quality: The data found in this forum seems to be low fidelity given the number of amateur hackers that operate on the site.

Lampeduza Underground Marketplace

Lampeduza is a Russian underground forum. This site was previously discussed in 2013 by KrebsOnSecurity when one of the forum members, `rescator`, was involved in the sale and distribution of breach-related data from a large retailer. In addition, Lampeduza seems to be strongly related to the notorious carding forum `rescator[.]cm`, where credit card data from the massive series of 2013 retailer breaches was offered for sale.

Access: $50 registration fee plus an invitation code

Services/Items Offered:

Carding

Dump services

Overall credit card fraud

Hacking

Anonymization practices

Spam

Black Hat SEO (Search Engine Optimization)

Trustworthiness/Quality: Data offered in this marketplace seems to be of medium value, leaving prospective buyers to discern for themselves which vendors are credible. The site offers a reputation system in which users can voice complaints, and action can be taken against a vendor if needed. This is a common feature amongst many of the anonymous marketplaces.

Exploit.in Marketplace

Exploit.in is a Russian-language hacking forum that resembles other hacking forums such as LeakForums and HackForums in the way it operates. Exploit.in has been in operation since 2007, with around 35k total users. Some areas discussing non-criminal activities are readable by the public, including discussions on web design, programming, and hardware. Other sections, such as security and hacking, virology, anonymity, and the marketplace, require a valid user account.

Access: Free, but new members need to be vouched for by an existing member who can communicate in the forum’s Russian internet slang. Due to this closed registration process, the forum is less polluted with fake accounts.

Services/Items Offered:

Carding services

Bulletproof hosting

Malware distribution services

Zero Day Software vulnerabilities

Malware such as exploit kits, Trojans, and crypters

Trustworthiness/Quality: Much of the value derived from this marketplace lies in the relationships between highly-connected users. Many of the real users have multiple profiles on other forums. Out of the 35k total users on the site:

36 users are vendors.

Only 1 user has an admin designation.

Only 5 users are moderators.

54 users are verified users.

43 users are specialists.

This proportion of real, active accounts to non-active accounts is fairly common amongst forums, and it is compounded by the anonymity of the users. The blacklist complaint threads are useful for weeding out rippers, but this leads to heavy turnover in vendors. Successful vendors appear to have strong relationships with one another in other forums or venues, allowing them to vouch for one another. It is likely because of this high turnover that the more interesting vendors seem to create a new profile with new contact information each time they offer new items for sale.

LeakForums Marketplace

LeakForums surfaced on the hacking scene in 2011, and currently has 1 million users. This marketplace is an initial source of many leaks, and is useful for obtaining copies of well-known malware such as ORCA or Adwind. LeakForums specializes in leaks related to PII and social media accounts, and in the trade of paid hacker tools (keyloggers, RATs, crypters, and binders).

Access: Free without vetting

Services/Items Offered:

Malware including Njrat, Adwind, and Orcus (free for registered users)

Trustworthiness/Quality: The quality of the data found in this marketplace is very low, and the quality of the forum itself is debatable. This is partially due to a high number of amateur criminals attempting to raise their profile while selling very low-quality tools. This site also lacks the reputation system that more mature markets like Alphabay and TheRealDeal have, which makes it harder for a potential buyer to trust a vendor.

HackForums Marketplace

HackForums is one of the longest-running hacking forums on the internet, and is notorious for housing a large number of amateur hackers. It was founded in 2006 and has approximately 600k total users. The forum covers several topics in information security such as hacking, programming, computer games, web design, and web development, as well as the sale of hacking tools and services. HackForums was spotlighted this year after MalwareHunterTeam noted a campaign that appeared to originate from the forum and used the ORCUS RAT. KrebsOnSecurity published an additional article on the authors behind this malware as well.

Access: Free without vetting. This forum is prone to a high number of fake profiles, amateur criminals, scammers, and law enforcement personnel.

Trustworthiness/Quality: Similar to LeakForums, the quality of the data found in this marketplace is very low. This is likely due to the lack of a reputation system or initial vetting of users. This marketplace is useful, though, for downloading a fresh copy of a given RAT builder to help build detection capabilities.

TheRealDeal Marketplace

TheRealDeal is a dark web market that began with an emphasis on zero day exploits. In 2016 this marketplace rose to the public’s attention after several data dumps that involved high-profile organizations. These dumps were offered by a single reputable member of this forum, peace_of_mind.

Access: Free without vetting. Many non-reputable members, security researchers, and law enforcement personnel are part of the marketplace.

Services/Items Offered:

Weapons

Counterfeit items (bank notes, passports, driver’s licenses)

Stolen credit card data

Hacked database dumps

Illicit drugs (MDMA, LSD, pharmacy, cocaine)

Exploits: FUD (Fully UnDetectable by antivirus engines), one-day (vulnerability that has been disclosed but not patched) and zero-day (vulnerability that hasn’t been disclosed).

Trustworthiness/Quality: The quality of services in this marketplace is mixed. Each vendor’s reputation can be judged by their rank as well as the feedback in their profile, which means that potential customers must do more research into each vendor. The marketplace also offers multisig transactions for additional security. There is also a more restricted forum that accompanies TheRealDeal which hints at further illegitimate activities (although these activities are hard to verify).

Alphabay Marketplace

The Alphabay market is a newer forum that has sustained considerable growth since its start in 2014. The Tor-based market currently houses 240k users.

Access: Free without vetting. Its user base consists of a considerable number of suspected security researchers and non-reputable users.

Trustworthiness/Quality: The quality of the products varies. It is up to the potential buyer to check that the vendor has the highest vendor level and trust level. The quality of credit card data and personally identifiable information sold in this forum depends upon the vendor. Some of that data comes from compromised e-commerce sites as well as compromised point of sale terminals. Alphabay secures transactions by offering multisig payments, and requires two-factor authentication to access the marketplace.

Alphabay also offers what it calls Digital Contracts. Digital Contracts build on the user reputation system to decrease the risk in transactions. Each contract costs five dollars, paid to the market admins, although the content of the contract is at the discretion of the users. Digital Contracts do not eliminate scamming entirely, but they do help to build trust among members. One interesting aspect of AlphaBay is that it allows users to access the marketplace programmatically via an API.

Conclusion

Underground markets offer a variety of services that are very attractive to criminals of every kind. They provide a fascinating view of how underground economies operate to anyone with a web browser and Tor. Most of the marketplaces are of questionable value, but there are a handful of reputable criminals operating within the forums. The most useful markets are extremely exclusive and hard to access, but the open markets offer an initial view into these communities.

Source: Honeypot Tech

Post: Shedding Some Light on the Dark Web (Fireboss7102, 2017-04-13)

Over the past few months I have had the opportunity to talk to many Anomali customers using our Splunk Commercial App to seamlessly match their data against ThreatStream Indicators of Compromise (IOCs). It has been great to see the excitement around the dashboards and insights our app offers, which have been able to immediately identify malicious activity and then significantly reduce investigation and troubleshooting time for analysts.

The ways users interact with Splunk Apps for security, fraud, and compliance use cases vary significantly; after all, no organisation is identical. As such, we’ve received lots of customer feedback requesting new features (email us your requests).

Today we’re thrilled to announce the new and improved Anomali Threatstream Commercial Splunk App 6.0. In this post, I want to cover some of the cool new features we added in this release.

Expanded context-relevant threat intelligence

ThreatStream users know and love the context provided for each IOC, including actor and threat bulletin information. We’ve now added actor and threat bulletin information to our Splunk App. You can now understand whether you’re suffering a more serious targeted attack from a known adversary, to help you better prioritise matches.

Enhanced and Updated Dashboards

To help users investigate IOC matches we’ve included lots of new dashboards and views, including the ability to filter and pivot on panels. Ultimately, you want to review IOC matches as quickly and accurately as possible. We’ve reduced the number of steps required for you to analyse any potential threats.

Integration with Splunk Enterprise Security

Splunk’s Enterprise Security App is one of the most widely used SIEM products on the market today. Many of our customers utilise the app’s Incident Review functionality. To avoid disrupting existing workflows, users can now look up the events that triggered a notable event against IOCs, all within Splunk’s Enterprise Security App.

Supercharged searches

All our IOCs are now stored in Splunk KV Stores. I won’t bore you with the technical details here, the important thing is you’ll now see matches are performed much faster than in previous iterations of our app. You can now respond to incidents as they happen.

Post: Forget the Tax Man: Time for a DNS Security Audit (Fireboss7102, 2017-04-11)

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.
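The briefing says its attached IOCs can be matched against your logs. As an added example (not the Anomali app's code or anything from the briefing), this is a minimal matcher: it refangs indicators written in the defanged style the briefing uses (gamestop[.]com), then checks domains (including subdomains of a listed domain), IPv4 addresses and file hashes found in constructed proxy, DNS, firewall and EDR log lines. All indicator and log values are constructed for the example.

```python
import re
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed IOC feed in the defanged style threat briefings use ("gamestop[.]com").
# Sample values only: none of these is an indicator from the briefing itself.
CONSTRUCTED_IOCS = """\
type,value,description
domain,evil-updates[.]example,Fake shipment-notice lure (constructed)
domain,cdn.bad-plugin[.]example,Fake "plugin update" download host (constructed)
ip,203[.]0[.]113[.]45,Command and control address (constructed)
md5,d41d8cd98f00b204e9800998ecf8427e,Dropper hash (constructed)
"""

# Constructed log lines to scan. Hosts under a listed domain should hit; unrelated
# hosts such as evil-updates.example.org (a different registered domain) should not.
CONSTRUCTED_LOGS = [
    "proxy 10.0.0.5 GET http://cdn.bad-plugin.example/update/plugin.exe 200",
    "dns client=10.0.0.9 query=mail.evil-updates.example type=A",
    "fw action=allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "edr host=ws17 file=invoice.doc md5=D41D8CD98F00B204E9800998ECF8427E",
    "proxy 10.0.0.5 GET https://www.example.com/ 200",
    "dns client=10.0.0.9 query=evil-updates.example.org type=A",
]


def refang(value: str) -> str:
    """Undo the defanging analysts apply so an indicator is not clickable."""
    v = value.strip()
    v = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", v)      # [.] (.) {.} -> .
    v = v.replace("[:]", ":").replace("[@]", "@")
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.lower()


def parse_iocs(feed: str) -> Dict[str, Set[str]]:
    """Parse the type,value,description feed into {type: {refanged value, ...}}."""
    iocs: Dict[str, Set[str]] = {}
    for line in feed.splitlines()[1:]:            # skip the header row
        if not line.strip():
            continue
        kind, value, _desc = line.split(",", 2)    # description may contain commas
        iocs.setdefault(kind.strip().lower(), set()).add(refang(value))
    return iocs


HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")        # hostname-like tokens
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")


def domain_hit(host: str, domains: Set[str]) -> str:
    """Return the listed domain that host equals or is a subdomain of, else ''."""
    labels = host.split(".")
    for i in range(len(labels) - 1):              # a.b.c -> a.b.c, b.c (never the bare TLD)
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return ""


def match_line(line: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (ioc_type, ioc_value, observed_token) for every indicator seen on the line."""
    text = line.lower()
    hits: List[Tuple[str, str, str]] = []
    for host in HOST_RE.findall(text):
        listed = domain_hit(host, iocs.get("domain", set()))
        if listed:
            hits.append(("domain", listed, host))
    for ip in IPV4_RE.findall(text):
        try:
            ipaddress.ip_address(ip)               # drop look-alikes such as 999.1.1.1
        except ValueError:
            continue
        if ip in iocs.get("ip", set()):
            hits.append(("ip", ip, ip))
    for h in HASH_RE.findall(text):
        kind = {32: "md5", 40: "sha1", 64: "sha256"}[len(h)]
        if h in iocs.get(kind, set()):
            hits.append((kind, h, h))
    return hits


def scan(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, List[Tuple[str, str, str]]]]:
    """Scan each log line; return [(line_number, hits)] for lines with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line, iocs)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    feed = parse_iocs(CONSTRUCTED_IOCS)
    for n, hits in scan(CONSTRUCTED_LOGS, feed):
        for kind, value, seen in hits:
            print(f"line {n}: {kind} {value} (observed as {seen})")
```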

Acknowledgement of Attacks Leveraging Microsoft Zero-Day (April 8, 2017)
Threat actors have been observed leveraging a Microsoft Office vulnerability via Rich Text Format (RTF) documents delivered with phishing emails. If the attachment is opened, the document issues an HTTP request to a remote server and retrieves a malicious .hta file disguised as an RTF file. The HTA application then loads and executes malicious scripts while displaying a decoy document to the user.
Recommendation: It is paramount that employees are taught to identify phishing attempts targeting them and your company. Additionally, all software and applications need to be properly maintained and updated with the latest security patches as soon as they become available.
Tags: Microsoft, Vulnerability

The Blockbuster Sequel (April 7, 2017)
A new spear phishing campaign has been discovered that is believed to be related to the campaign called “Operation Blockbuster,” according to Unit 42 researchers. Operation Blockbuster is the name given to research conducted into the cyberattacks against the Sony Corporation. The new activity targets Korean-speaking users with spear phishing emails whose attachments impersonate a request form from the Korean security company “Atsoft.”
Recommendation: Spear phishing emails represent a significant security risk because the sending address will often appear legitimate to the target; sometimes a target company email account is compromised and used for such emails. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Spear phishing

Sathurbot: Distributed WordPress Password Attack (April 6, 2017)
Malware has been found being distributed by threat actors via BitTorrent downloads and compromised WordPress websites that users are directed to. If these torrents, which are advertised as movies, are downloaded, users may be infected with the Sathurbot backdoor trojan, according to ESET researchers. Sathurbot is capable of reaching out to a C2 to download additional malware onto an affected machine, and also has web crawling capabilities that search for WordPress administrator accounts to breach.
Recommendation: This story shows the potential dangers of downloading free entertainment media from online locations. The appeal of free access to movies and other forms of entertainment has resulted in many users being infected with malware. These kinds of downloads carry inherent risk, and policies should be in place that prevent them on company networks.
Tags: BitTorrent, Sathurbot
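From the defender's side of the WordPress story above, the tell-tale sign of a distributed password attack is many source addresses each sending only a few login attempts to the same site, so per-IP lockouts never trigger. As an added example (not ESET's analysis or code from the briefing), this detector parses constructed Apache "vhost_combined" access log lines, counts POSTs to /wp-login.php per virtual host in a sliding time window, and alerts when enough distinct low-rate sources appear; the thresholds and the assumption that bots keep their per-address rate low are mine.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Apache "vhost_combined" style line: vhost:port client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _entry(vhost: str, ip: str, ts: str, method: str, path: str, status: int) -> str:
    """Build one constructed access-log line in vhost_combined format."""
    return f'{vhost}:80 {ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed log: one legitimate login on shop.example.org, a page view on blog.example.org,
# then ten bot addresses (198.51.100.1-10) each POSTing twice to blog.example.org's
# wp-login.php, spread over ten minutes so no single address looks noisy.
CONSTRUCTED_ACCESS_LOG = [
    _entry("shop.example.org", "10.0.0.7", "06/Apr/2017:09:58:10 +0000", "GET", "/wp-login.php", 200),
    _entry("shop.example.org", "10.0.0.7", "06/Apr/2017:09:58:25 +0000", "POST", "/wp-login.php", 302),
    _entry("blog.example.org", "192.0.2.33", "06/Apr/2017:10:00:05 +0000", "GET", "/index.php", 200),
]
for _bot in range(1, 11):
    for _sec in ("00", "30"):
        CONSTRUCTED_ACCESS_LOG.append(_entry(
            "blog.example.org", f"198.51.100.{_bot}",
            f"06/Apr/2017:10:{_bot - 1:02d}:{_sec} +0000", "POST", "/wp-login.php", 200))


def detect_distributed_login_attacks(
    lines: List[str],
    window: timedelta = timedelta(minutes=10),
    min_sources: int = 8,
    max_per_source: int = 3,
) -> Dict[str, Tuple[int, int]]:
    """Return {vhost: (low_rate_sources, attempts_in_window)} for every virtual host that,
    within `window`, received POST /wp-login.php from at least `min_sources` distinct
    addresses that each sent no more than `max_per_source` attempts."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue                                   # only login POSTs count as attempts
        events[m["vhost"]].append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))

    alerts: Dict[str, Tuple[int, int]] = {}
    for vhost, evs in events.items():
        evs.sort()
        best: Tuple[int, int] = (0, 0)
        start = 0
        for end in range(len(evs)):                   # sliding window over sorted attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            per_ip = Counter(ip for _, ip in evs[start:end + 1])
            low_rate = sum(1 for c in per_ip.values() if c <= max_per_source)
            candidate = (low_rate, sum(per_ip.values()))
            if low_rate >= min_sources and candidate > best:
                best = candidate
        if best[0] >= min_sources:
            alerts[vhost] = best
    return alerts


if __name__ == "__main__":
    for vhost, (sources, attempts) in detect_distributed_login_attacks(CONSTRUCTED_ACCESS_LOG).items():
        print(f"ALERT {vhost}: {attempts} login POSTs from {sources} low-rate sources in one window")
```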

Apple Customers Being Targeted in “iCloud Mail” Phishing Scam (April 6, 2017)
A new phishing campaign has been identified targeting Apple customers. The phishing emails claim that recipients must confirm their account information, and provide a link to a fake Apple page that steals user credentials. After Apple credentials are provided, the scam goes a step further and requests billing and credit card information.
Recommendation: The impersonation of legitimate companies in phishing attacks is a frequent tactic used by threat actors. Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.
Tags: Phishing, Apple

Targeted Attacks in the Middle East Using Kasperagent and Micropsia (April 5, 2017)
Two new Windows malware families dubbed “Kasperagent” and “Micropsia” have been identified primarily targeting organizations located in the Middle East. Additionally, Unit 42 and ClearSky researchers have discovered connections between this malware and two strains of Android malware called “Secureupdate” and “Vamp.” The group behind this campaign is attacking targets with shortened URLs that direct users to malicious websites, masquerading their malware as fake products and mobile applications, and sending spear phishing emails that advertise fake news.
Recommendation: Malware authors are always innovating new methods of communicating back to their control servers. Always practice Defense in Depth (don’t rely on single security mechanisms – security measures should be layered, redundant, and failsafe). Additionally, mobile devices should always be kept up-to-date with the latest security patches, and applications should only be downloaded from official application stores.
Tags: Windows, Android, Malware

Operation Cloud Hopper (April 4, 2017)
PwC UK and BAE Systems have released information regarding a cyberespionage campaign that has been targeting Managed IT Service Providers (MSPs) since at least 2016. Researchers have dubbed the campaign “Operation Cloud Hopper.” They believe that a Chinese threat group called “APT10” is responsible and that the group has been active since at least 2009. APT10’s objective appears to be gathering information from MSP networks and their customers around the world.
Recommendation: Defending against APT threats requires an equally advanced and persistent strategy. Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security, as well as having prevention and detection capabilities in place.
Tags: APT10, Cyberespionage

Pegasus for Android: Technical Analysis and Findings of Chrysaor (April 4, 2017)
A mobile malware dubbed “Chrysaor” has been identified targeting Android users, according to Lookout researchers. Researchers believe that Chrysaor is a continuation of the mobile cyberespionage campaign conducted by the actors behind the iOS malware “Pegasus.” Chrysaor conceals itself in applications located in the Google Play Store and third-party application stores (Google has since removed the malicious applications). The malware is capable of keylogging, remotely controlling an infected device via SMS, stealing information from various applications, and taking screenshots, among other functions.
Recommendation: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that claim additional software is needed to access or properly view their content should be avoided. Additionally, mobile security applications from trusted vendors are recommended.
Tags: Mobile malware, Android

ATMitch: Remote Administration of ATMs (April 4, 2017)
Kaspersky Lab researchers have added new information to their initial report regarding cyberattacks targeting ATMs located in 40 countries around the world. The threat group behind these attacks has been active since at least 2016. They target bank networks with PowerShell malware and legitimate Windows tools to escalate privileges until they reach the systems that control ATMs. Actors then install their malware, dubbed “ATMitch,” and execute it via Remote Desktop Protocol (RDP).
Recommendation: ATM security relies on the same kind of preventative measures as any other computer, since that is what an ATM is. In the case of a confirmed ATMitch infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should be conducted along with a formal incident response investigation.
Tags: ATM, Malware

Russian-Speaking Turla Joins APT Elite (April 3, 2017)
Kaspersky researchers have published additional information to support their claim that the “Moonlight Maze” cyberespionage campaign from the 1990s and the current Advanced Persistent Threat (APT) group “Turla” may be the same group. Moonlight Maze was one of the first identified cyberespionage campaigns, and one of the first known APT groups. Researchers discovered the connection between the two groups while further examining “Penguin Turla” attacks that targeted Linux machines with the open source LOKI2 backdoor. It was discovered that Moonlight Maze binaries were based upon the LOKI2 backdoor, which potentially links the two groups because no other group appears to use that tool.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security, as well as having prevention and detection capabilities in place. Furthermore, all employees should be educated on the risks of phishing, and how to identify such attempts.
Tags: APT, Turla, Moonlight Maze

Fake SEO Plugin In WordPress Malware Attacks (April 3, 2017)
A malicious plugin has been identified infecting WordPress websites with malware over the past several weeks. Researchers estimate that approximately 4,000 WordPress websites have been infected by a backdoor masquerading as a legitimate plugin called “WP-Base-SEO.” Actors are likely installing the malicious plugin after mass scanning to detect outdated WordPress sites.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Malicious plugin, WordPress

Social Media Passwords Provide Easy Route into Corporate Networks (April 3, 2017)
Thycotic researchers have published a report that discusses social media passwords and how they pose a significant risk to company accounts and networks. Thycotic conducted a survey at the RSA conference in February 2017 in which approximately 250 security professionals took part. Researchers discovered that 50% of those interviewed had not changed their social media passwords for more than a year. The risk exists because many other accounts can be logged into through social media accounts, such as LinkedIn. Thycotic contends that weak password habits for social media accounts, even among security professionals, can be taken advantage of by cybercriminals because many passwords include birthdays and pet names. This information can be gathered from social media accounts and used in attempts to compromise company accounts and networks.
Recommendation: Your company should implement security policies on accounts that store any sensitive information. Multi-factor authentication and frequent password changes can help protect trade secrets and other forms of sensitive data.
Tags: Password, Vulnerability

That Sound You Hear is Splunk Leaking Data (April 3, 2017)
Researchers have discovered a vulnerability registered as “CVE-2017-5607” that affects Splunk’s JavaScript implementation. The vulnerability can only be exploited if a malicious actor is able to direct a user to a malicious webpage. If a Splunk user visits a malicious webpage, her/his username can be stolen by an attacker, which can then be used to target that user with phishing attacks.
Recommendation: Your company should have appropriate anti-virus, anti-spam, and web policies in place that will prevent your employees from visiting potentially malicious websites. Education is also a great mitigation technique that can raise awareness in your company of the risks posed by visiting less reputable online locations.
Tags: Vulnerability

European Companies Hit with Highly Customizable Ransomware (April 3, 2017)
A new ransomware campaign has been identified to be targeting European-based companies, according to Panda Security researchers. The actors behind the campaign are brute-forcing companies’ forward-facing Remote Desktop Protocol (RDP) servers. Once an RDP server has been compromised, the attackers can target specific machines on a company’s network. Researchers note that the graphical interface of the ransomware indicates that this campaign is being conducted with a Ransomware-as-a-Service (RaaS).
Recommendation: Ensuring that your server is always running the most current software version is crucial. Additionally, maintaining secure passwords for RDP and other remote access systems is paramount, and passwords should be changed on a frequent basis. Intrusion detection systems and intrusion prevention systems can also assist in identifying and preventing attacks against your company’s network. Furthermore, always practice Defense in Depth (don’t rely on single security mechanisms – security measures should be layered, redundant, and fail-safe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Ransomware
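The RDP brute-forcing described above leaves a clear trail in the Windows Security log: bursts of failed logons (Event ID 4625) from one source address, often cycling through several account names. The detector below is an added example, not part of the briefing or of any vendor product; it parses constructed one-line renderings of 4625/4624 events (the field names mirror the real event fields, but the records and the RFC 5737 test addresses are made up) and flags any source address that exceeds a failure threshold inside a sliding time window. The threshold, window and the set of RDP logon types are assumptions to tune for your environment.

```python
"""Flag RDP password brute-forcing from failed-logon events.
Added example; the event records below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammering several accounts in 40 seconds,
# one user who mistyped once and then logged in, one non-RDP failure.
SAMPLE_EVENTS = """
2017-04-03T02:14:01 EventID=4625 LogonType=10 IpAddress=203.0.113.77 TargetUserName=administrator
2017-04-03T02:14:09 EventID=4625 LogonType=10 IpAddress=203.0.113.77 TargetUserName=administrator
2017-04-03T02:14:17 EventID=4625 LogonType=10 IpAddress=203.0.113.77 TargetUserName=admin
2017-04-03T02:14:25 EventID=4625 LogonType=10 IpAddress=203.0.113.77 TargetUserName=admin
2017-04-03T02:14:33 EventID=4625 LogonType=10 IpAddress=203.0.113.77 TargetUserName=backup
2017-04-03T02:14:41 EventID=4625 LogonType=10 IpAddress=203.0.113.77 TargetUserName=backup
2017-04-03T02:20:00 EventID=4625 LogonType=10 IpAddress=198.51.100.5 TargetUserName=jsmith
2017-04-03T02:20:30 EventID=4624 LogonType=10 IpAddress=198.51.100.5 TargetUserName=jsmith
2017-04-03T02:45:12 EventID=4625 LogonType=3 IpAddress=198.51.100.9 TargetUserName=svc_backup
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse the one-line event form into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:  # skip anything that is not in the expected shape
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": int(m["id"]),
            "logon_type": int(m["lt"]),
            "ip": m["ip"],
            "user": m["user"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          rdp_logon_types=frozenset({10})):
    """Return {ip: {"max_failures_in_window": n, "usernames": [...]}} for
    every source whose RDP logon failures reach the threshold in the window.

    Logon type 10 is RemoteInteractive (classic RDP). Servers with Network
    Level Authentication enabled log failed RDP attempts as logon type 3
    instead, so add 3 to rdp_logon_types when auditing such hosts (assumption
    to verify against your own logs).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    users = defaultdict(set)      # ip -> account names tried
    alerts = {}
    for e in events:
        if e["id"] != 4625 or e["logon_type"] not in rdp_logon_types:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        users[e["ip"]].add(e["user"])
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(e["ip"], {}).get("max_failures_in_window", 0)
            alerts[e["ip"]] = {
                "max_failures_in_window": max(prev, len(q)),
                "usernames": sorted(users[e["ip"]]),
            }
    return alerts


def run_sample():
    """Run the detector over the constructed events with default settings."""
    return detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"{ip}: {info['max_failures_in_window']} failures, "
              f"accounts tried: {', '.join(info['usernames'])}")
```

Feed it real events by exporting 4625/4624 records with the same four fields; the count-per-source-in-window logic is the same rule most SIEMs express as a correlation search, and the list of account names tried is what distinguishes a password-spraying burst from a single user fumbling a password.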

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

REMCOS Backdoor Tool Tip
The REMCOS Backdoor is a publicly available Remote Access Tool. It has been available since 2016 and is under active development. The author, who goes by _Viotto_, offers both free and paid versions at their website `www.breaking-security.net`. REMCOS is currently being used in the wild with malicious intent despite the author’s claims that the tool is for legitimate use only.
Tags: REMCOS, RAT
